Germany: BSI publishes draft law implementing NIS 2 Directive and seeks states and associations participation

On May 7, 2024, the Federal Ministry of Interior, Building, and Community (BMI) announced that it published the draft law implementing the requirements of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity in the Union (NIS 2 Directive) by amending the IT Security Act and IT Security Act 2.0. On the same date, the BMI initiated a participation procedure with states and associations regarding the draft law.  

Background

On January 16, 2023, the NIS 2 Directive, imposing new and enhanced cybersecurity-related obligations on companies and other private or public entities, came into force. According to the NIS 2 Directive, EU Member States must implement it into local law by October 18, 2024.

Key provisions

The BSI highlighted that the draft law introduces, among other things:

  • the categories 'important facilities' and 'particularly important facilities,' accompanied by a significant expansion of the scope of application, which was previously limited to operators of critical infrastructures, providers of digital services, and companies in the special public interest;
  • a catalog of the minimum security requirements under the NIS 2 Directive, categorized by their proportionality and including risk analysis concepts, measures to maintain operations (e.g., backup management), and concepts for the use of encryption;
  • the three-stage reporting system of the NIS 2 Directive, replacing the previous single-stage reporting requirement: the plan is to provide an initial report within 24 hours, an update within 72 hours, and a final report to be submitted within one month, thus aiming to minimize the administrative effort for the institutions;
  • the expansion of the Federal Office for Information Security's (BSI) range of instruments with regard to supervisory and enforcement measures, including the new fine framework, under which fines may be based on a percentage of a company's global annual turnover;
  • the legal anchoring of essential national requirements for federal information security management and the mapping of the associated roles and responsibilities; and
  • the establishment of a Chief Information Security Officer for the federal government as the central coordinator of the implementation of information security measures in federal administration facilities.

Next steps

Once the statements from the states and associations are collected, they may be incorporated into the law's final version. If the law then passes governmental and parliamentary approval, it will be signed into law and come into force upon its publication in the Federal Law Gazette.

You can read the press release here and the draft law here, both only available in German.